What are Dynamic External Objects/Groups and how can they be configured?
05/07/2020
A Dynamic External Address Group is an Address Group whose members are dynamic. Dynamic External Address Objects are intermediate, internal objects that are dynamically created and placed under a Dynamic External Address Group when a Dynamic External Address Group file is downloaded. The Dynamic External Objects feature eliminates the need for manually modifying an Address Group to add or remove members.
Dynamic External Objects Page:
Multiple Dynamic External Address Groups can be configured, and you can use these DEAGs in access rules or policies. For example, if you want to maintain a group for all partner IP addresses on which certain access rules are enforced, you can create a Dynamic External Address Group / Dynamic External Object.
- Navigate to Manage | Objects | Dynamic External Objects to look at the configured objects.
- Under Comments, a green circle indicates that the DEAG file was successfully downloaded, while a red circle indicates an error.
Dynamic External Address Group File:
The Dynamic External Address Group file (DEAG file) contains a list of IP addresses or Fully Qualified Domain Names (FQDNs) that define the DEAOs which are members of the DEAG. The DEAG file resides externally, on a server for FTP access or on a web page at a specific URL for HTTPS access. The list of IP addresses or FQDNs can be modified at the external location and the associated DEAOs and DEAG in SonicOS are dynamically updated with those changes, if configured to periodically download the file. The DEAG file can contain a text list of either IP addresses or FQDNs formatted as follows:
- A list of IP addresses, one per line. It can include subnets specified in CIDR format.
- A list of FQDNs, one per line. An FQDN is a character string such as www.example.com. It cannot contain any wildcard (*) characters.
- A mixed list of FQDNs and IP addresses/subnets, one per line.
A mixed list is only supported for FQDN type DEAGs; a non-FQDN type DEAG will not accept FQDNs in the DEAG file. Even so, mixing IP addresses and FQDNs in one DEAG file is not recommended, because the IP addresses in such a list are also treated as FQDNs and SonicOS will attempt to resolve them. A better way to combine these input types is to create separate DEAGs of FQDN type and non-FQDN type and then add both DEAGs to a regular address group for use in access rules. For every DEAG, a DEAO with the IP address 0.0.0.0 is automatically created. As a result, if there is only one DEAG, the maximum number of IP addresses in the DEAG file is one less than the maximum number of DEAOs allowed, as defined in DEAG and DEAO Maximums.
DEAG and DEAO Maximums:
- The maximum number of DEAGs, including both IP address and FQDN types, is 25% of the total number of address groups supported by the device.
- The number of DEAGs that can be created is also limited by the number of address groups still available before the firewall's total is reached. For example, if a device supports 1024 Address Groups and only 20 are in use, 256 DEAGs (25% of 1024) can be created. If 1000 Address Groups have already been created manually, only 24 DEAGs can be created.
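Because a malformed or oversized DEAG file is only reported as a red circle after the firewall fetches it, it is worth validating the file before publishing it to the FTP/HTTPS location. The following added example (not SonicWall code) applies the file-format rules above (one IP, CIDR subnet or FQDN per line, no wildcards, FQDNs only in FQDN type DEAGs, mixing discouraged, entry count one less than the DEAO limit) and the DEAG maximum rule; the sample file and the `max_deaos` value are constructed and assumed, so substitute your platform's real limit.

```python
import ipaddress
import re

# RFC 1123 style hostname: dot-separated labels, no leading or trailing hyphen.
FQDN_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")

def classify(entry):
    """Classify one DEAG file line as 'ip', 'cidr', 'fqdn' or 'invalid'."""
    if "*" in entry:  # wildcard characters are not allowed in FQDN entries
        return "invalid"
    try:
        ipaddress.ip_address(entry)
        return "ip"
    except ValueError:
        pass
    try:
        ipaddress.ip_network(entry, strict=False)
        return "cidr"
    except ValueError:
        pass
    return "fqdn" if FQDN_RE.match(entry) else "invalid"

def validate_deag_file(text, fqdn_type, max_deaos):
    """Return (errors, warnings) for the text of a DEAG file.
    fqdn_type: True for an FQDN type DEAG, False for a non-FQDN (IP) DEAG.
    max_deaos: the platform's DEAO limit (assumed here; check your model).
    One DEAO (0.0.0.0) is auto-created per DEAG, so usable entries are max-1."""
    entries = [line.strip() for line in text.splitlines() if line.strip()]
    kinds = [(e, classify(e)) for e in entries]
    errors, warnings = [], []
    for entry, kind in kinds:
        if kind == "invalid":
            errors.append(f"invalid entry: {entry}")
        elif kind == "fqdn" and not fqdn_type:
            errors.append(f"FQDN not accepted by a non-FQDN type DEAG: {entry}")
    has_fqdn = any(k == "fqdn" for _, k in kinds)
    has_addr = any(k in ("ip", "cidr") for _, k in kinds)
    if fqdn_type and has_fqdn and has_addr:
        warnings.append("mixed IPs and FQDNs: the IP entries will be resolved as FQDNs")
    if len(entries) > max_deaos - 1:
        errors.append(f"{len(entries)} entries exceed the usable limit of {max_deaos - 1}")
    return errors, warnings

def max_deags(total_groups, used_groups):
    """DEAGs still creatable: 25% of supported address groups, capped by those left."""
    return min(total_groups // 4, total_groups - used_groups)

# Constructed sample DEAG file: two partner address entries plus one hostname.
SAMPLE = "203.0.113.10\n198.51.100.0/24\npartner.example.com\n"
```

Running `validate_deag_file(SAMPLE, True, 100)` yields no errors but the mixing warning, while the same file for a non-FQDN type DEAG is rejected because of the hostname line.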